Multi GW, not Multi WAN
-
Hey all, I have been having a hard time figuring this one out. My network is setup like this:
Protected LAN –> DMZ --> Internet
I have 2 GWs in my "DMZ --> Internet" segment.
I am NATing from both of these firewalls to my Protected LAN. I can only have 1 default gateway, so my dilemma is this: how can I get my protected LAN firewall to return NATed traffic to the "DMZ --> Internet" firewall that is not its default gateway? Right now what is happening is that when traffic is NATed from the non-default GW firewall in the DMZ, my protected LAN firewall sends the return traffic to its default gateway, which results in a broken connection. I think what I am trying to achieve is called source-based routing, but I have no idea how to enable or configure this. Static routes aren't an option because the same external IP addresses (hundreds) will be using NATs on both firewalls. I tried searching forums and wasn't successful. Thanks a million for any assistance. I hope I made sense.
-
So right now you have 3 firewalls:
internet      internet
   GW1          GW2
     \          /
      \        /
       \      /
        \    /
         \  /
        switch
          |
        LANpf
          |
          |
         LAN

Is the switch in front of pfSense VLAN-capable?
Basically you "can" change the setup to something like this:

internet      internet
   GW1          GW2
     \          /
      \        /
       \      /
        \    /
         \  /
        LANpf
          |
          |
         LAN

--> the LANpf has 2 interfaces, one for each GW.
Like this the state table can keep track of which connections come from which interface.
Source NAT on pfSense wouldn't help you much.
You would have to enable source NAT on the gateways.
-
I failed to mention that both gateways are on the same subnet and same ISP; 1 is a pfSense firewall and the other is a PIX.
If there is no way to achieve this with 1 interface then I will add another NIC to my Protected LAN firewall and reconfigure my NATs and rules. Thank you for your help.
-
It's not that you cannot do this.
But you would have to enable source NAT on the two gateways. You certainly can do that for pfSense.
Just enable Advanced Outbound NAT and create two rules like:

interface WAN
source any
destination any

interface LAN
source any
destination any

Like this you should NAT inbound and outbound everything.
But adding a second interface or, if it's on a VLAN-capable switch, using two VLANs is IMO a lot easier.
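The following is an added example, not part of the thread and not pfSense code. It is a small Python model of the forwarding decision the two posts above are arguing about: the protected-LAN firewall (LANpf) has one default gateway (the PIX), so a reply addressed to an Internet host always leaves via the PIX, which has no state for a connection that came in through the other gateway. If the second gateway (GW2) source-NATs inbound connections to its own DMZ-side address before handing them to LANpf, the reply is addressed to a host on the directly connected DMZ subnet, longest-prefix match picks the on-link route, and the default gateway is never consulted. All addresses and the three box names are constructed for the illustration; the model covers the routing and state-table logic only, so whether a given pfSense build applies the LAN-side AON rule to forwarded traffic still has to be verified on the box, as the thread itself notes.

```python
"""Model of the asymmetric-return problem and the source-NAT fix.

Added example; addresses and names are constructed, not from the thread:
  203.0.113.5      Internet client
  192.168.10.0/24  the "DMZ --> Internet" segment
  192.168.10.1     PIX, default gateway of LANpf
  192.168.10.2     second pfSense gateway (GW2), DMZ-side address
  10.0.0.20        server on the protected LAN behind LANpf
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CLIENT = "203.0.113.5"
PIX_DMZ = "192.168.10.1"
GW2_DMZ = "192.168.10.2"
SERVER = "10.0.0.20"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.src)


class StatefulBox:
    """Minimal firewall: a routing table with longest-prefix match plus a
    state table of the forward flows it has seen."""

    def __init__(self, name: str, routes):
        # routes: iterable of (prefix, next_hop); next_hop None means on-link
        self.name = name
        self.routes = [(ip_network(p), nh) for p, nh in routes]
        self.states: set[Flow] = set()

    def next_hop(self, dst: str) -> str:
        """Longest-prefix match. For an on-link route the next hop is the
        destination itself, so the default gateway is never consulted."""
        d = ip_address(dst)
        net, nh = max(((n, nh) for n, nh in self.routes if d in n),
                      key=lambda r: r[0].prefixlen)
        return dst if nh is None else nh

    def saw(self, flow: Flow) -> None:
        self.states.add(flow)

    def accepts_reply(self, reply: Flow) -> bool:
        """A stateful firewall passes a reply only if it created the state."""
        return reply.reverse() in self.states


def simulate(snat_on_gw2: bool) -> str:
    """An inbound connection arrives via GW2 and is forwarded to LANpf; the
    server's reply then leaves LANpf. Returns where that reply ends up."""
    lanpf = StatefulBox("LANpf", [
        ("10.0.0.0/24", None),       # protected LAN, on-link
        ("192.168.10.0/24", None),   # DMZ segment, on-link
        ("0.0.0.0/0", PIX_DMZ),      # the single default gateway: the PIX
    ])
    pix = StatefulBox("PIX", [("0.0.0.0/0", None)])
    gw2 = StatefulBox("GW2", [("0.0.0.0/0", None)])

    # Without source NAT, LANpf sees the real client address; with an
    # outbound NAT rule on GW2's DMZ-side interface it sees GW2 instead.
    forward = Flow(GW2_DMZ if snat_on_gw2 else CLIENT, SERVER)
    gw2.saw(forward)     # GW2 created the state for this connection
    lanpf.saw(forward)   # LANpf created its own state as it passed it in

    reply = forward.reverse()
    hop = lanpf.next_hop(reply.dst)
    box = {PIX_DMZ: pix, GW2_DMZ: gw2}[hop]
    if box.accepts_reply(reply):
        return f"reply delivered to {box.name}, connection works"
    return f"reply sent to {box.name}, which has no state: connection broken"


if __name__ == "__main__":
    for snat in (False, True):
        print(f"SNAT on GW2 = {snat}: {simulate(snat)}")
```

Running it prints the broken case first (reply goes to the PIX, which never saw the connection) and the working case second (reply goes straight to GW2 across the shared DMZ subnet). The same reasoning is why the two-interface or two-VLAN layout also works: there the interface the packet arrived on, rather than a rewritten source address, is what ties the reply to the right gateway.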
-
Ohhhhh, you are very wise. I never thought about doing an AON rule for inbound; that just might do it.
Since the PIX is the default gateway, I think I might be able to get away with just having the pfSense do source NAT. Do you agree?
I am trying to wrap my head around this, so if you don't mind I would like to be sure I understand.
I do have multiple CARP VIPs on both pfSense firewalls, so for each AON rule I create for my VIPs I need to create a second AON rule for the inbound traffic, is that right, or will just 1 do? That way, when the NAT happens on the "DMZ --> Internet" firewall, the NAT is seen by my Private LAN pfSense as being sent from the "DMZ --> Internet" pfSense DMZ IP address, right?
-
I never tried that, but I think it should work.
I'm just not sure if it NATs from WAN to LAN too if the traffic gets forwarded via a normal NAT rule and doesn't get "NAT-routed".
-
Thinking it out, I think 1 inbound NAT rule will suffice. I will test this once I return to work.
Thank you so very much for your quick responses; you have helped me out so much.